@lumens said in DNS Resolver in forwarding mode slow replies: But since i have configured my DNS Resolver in "Forwardind Mode", i would expect that the query to localhost would be comparable to the query to the dns server configured in the "General Setup" section (quad9 nameservers in my case). and unbound, using forwarder mode, is using port 853 and encrypts the traffic (TLS). Probably normal ( ? ), but unbound (forwarder) also asks for the AAAA, the NS, and CNAME, and also requests for dell.com.lum1.lan. I couldn't find the "A" request .... Btw : Why 9.9.9.10 as its for experts only ? What about 9.9.9.9 or maybe 9.9.9.11. edit : what happens when you ask for "www.micosoft.com." instead of "www.micosoft.com" ?

@johnpoz Thanks John, That works for me. The static reservations are all there. I don't use dynamic DHCP registrations into DNS (due to using DNSBL in Python mode)

@bearhntr Yes, sorry I missed that you weren't sure where to add the static entry in DNS. And as long as the DHCP scope options are giving out your DNS server IP as the DNS server- you don't have to add it on the general tab in PFSense, or set forwarding on the DNS tab. I have nothing set on the General tab for DNS, and it works fine. In DNS Resolver, General Settings, if you scroll all the way down to the bottom, there is a Domain Override section, where you can add your domain name and point it to your server's IP. As for RADVD, that's the Router Advertisement service. I know it is used when you setup IPV6, on the Services/DHCPv6 Server & RA/LAN/Router Advertisements.

@madtrick The IP variable is the same, but you have to set up a special IPv6 update client so that pfSense takes the IPv6 interface address. https://dyndns.inwx.com/nic/update?myipv6=%IP%

@nocling Thanks for this, much appreciated. Seem to have this now working stable. So far so good. The WebGui still times out when saving any Dynamic DNS configuration changes, but the changes do save correctly and updates are happening for the DNS.

@scubanarc yup that would be a directed query specific to pfsense.. You should hope to glean something from that - timeout, nx, refused - something ;)

@johnpoz Thanks my Brother - I will be on my best behavior - and use my best polite mannerable demeanor. God Bless You and Yours - and Stay Safe

@gertjan I did end up removing the 1.1.1.1 and 8.8.8.8 dns servers.. and no im not on the latest im on 2.5.1

@user3124 We've all been there but it is what it is.

@steveits said in Using pfSense as firewall and Windows Server as DHCP and DNS server: The "private-domain" setting is to allow public DNS servers to return private IPv4 addresses What it allows for any upstream or forwarded to NS to return rfc1918 space and not be considered a rebind. But when you create a domain override entry - it is now automatically added as private domain.. There is no "need" to add it to the advanced option section of unbound gui

@jawz101 well you could create blocks for all non public tlds that you would like to block - but what on your network would be looking for those, if wasn't in your search suffix.. The possibilities are pretty infinite for non actual tlds ;) But only those in your search suffix would be added by clients.

@linuxgae said in Unbound frequently restarting and occasionally crashing: and unckecking Register DHCP static mappings in the DNS Resolver. That one isn't needed as they are loaded on system start, and only change when the admin adds a static lease, which is not very often. @linuxgae said in Unbound frequently restarting and occasionally crashing: Of course you will have to come up with an alternatives to resolve hosts that are local Give your known local device, the ones you need to talk to, like NASes, printers and other file servers a static MAC lease and you'll be fine.

@kilburnflyer Solved: subscriptions/[YOURSUBSCRIPTIONID/resourceGroups/north-europe-default/providers/Microsoft.Network/dnsZones/[YOURDOMAIN] do not put api version in there. in hostname only put value before i.e. RECORD i.e. RECORD.[YOURDOMAIN] Relevant link in source code helped debug

@gertjan hmm i gues using 2 network cards makes sense, but it's just a small office with 50 hosts and i saw alot of videos out there using laptops with usb to Ethernet port

Sorry for bringing back a 4 year old thread, but I think I got this working for me in OPNSense using Unbound and I wanted to update the thread with a solution in case anyone else is looking. This is the only useful result that comes up when searching for making Mobility Print work with Unbound. This hint about using typetransparent seems to make it work without doing anything else special. I set that through the GUI in OPNSense but I believe the relevant config line it results in is: local-zone: "mydomain" typetransparent I think these are the other relevant parts of the config files - in OPNSense I created a custom config file to add the entries as they removed the "advanced" box on the current release. (the OPNSense config file has a include: /var/unbound/etc/*.conf where custom entries go) root@OPNsense:/var/unbound/etc # cat mobilityprint.conf server: local-data: "b._dns-sd._udp.mydomain IN PTR pc-printer-discovery.mydomain" local-data: "lb._dns-sd._udp.mydomain IN PTR pc-printer-discovery.mydomain" local-data: "pc-printer-discovery.mydomain IN NS lxc-print.mydomain" I didn't add the A record here, since I have a static DHCP lease for my Mobility Print server called lxc-print, but that record is just: local-data: "lxc-print.mydomain IN A 10.10.5.17" Everything passes in the Mobility Print DNS setup page and I get the correct results from nslookup: lvm-debian-1:~> nslookup -query=ptr b._dns-sd._udp.mydomain Server: 10.10.0.2 Address: 10.10.0.2#53 b._dns-sd._udp.mydomain name = pc-printer-discovery.mydomain. lvm-debian-1:~> nslookup -query=ptr lb._dns-sd._udp.mydomain Server: 10.10.0.2 Address: 10.10.0.2#53 lb._dns-sd._udp.mydomain name = pc-printer-discovery.mydomain. lvm-debian-1:~> nslookup -query=ns pc-printer-discovery.mydomain Server: 10.10.0.2 Address: 10.10.0.2#53 pc-printer-discovery.mydomain nameserver = lxc-print.mydomain. lvm-debian-1:~> nslookup lxc-print.mydomain Server: 10.10.0.2 Address: 10.10.0.2#53 Non-authoritative answer: Name: lxc-print.mydomain Address: 10.10.5.17

@johnpoz said in DNS Resolver domain override issue for just one client in the same network: @kevindd992002 ha - they seemed to have changed it to help users doing local forwarding. I just added a couple of test domain forwards for testing to a local ns.. And look what gets added to the conf ;) [image: 1633543042040-overrides.jpg] I do not recall seeing this in the release notes? But there it is.. look in your [21.05.1-RELEASE][admin@sg4860.local.lan]/: cat /var/unbound/unbound.conf [image: 1633543158060-conf.jpg] I wonder when that got added - I am pretty freaking sure it didn't use to do that.. edit: Well F me - looks like that was added sometime back in 2017 from looking through the github code for unbound.inc.. Lol, that makes total sense th!en. Thanks for the help!

@nicolas-pissard if your having problems with dhcp you need to make sure pfsense is actually seeing the dhcp discover or request.. And then it should offer, or provide some info to why it can not.. Maybe dhcpd has stop running? Maybe client is asking for IP it can't use on this network, and won't accept offer? There are many things that could cause problems sure - but an expired lease should not prevent it from being offered up if there are no other free IPs from the pool to hand out. dhcpd should use up all of its IPs first, and then once it has handed them all out. It will use those leases that have expired.. Where you run into problem is no expired leases, and no free IPs - then yeah nothing to hand out. Maybe you have a client asking for specific IP back, and some other client has active lease for that IP.. And the client will not accept different offer of different IP?

@cri glad to hear.. Thanks for followup.